UPDATE 2/7/15: Go visit the updated article.
The new EU General Data Protection Regulation is on its way. The EU Parliament approved the text in March. The new EU Commission president has recently given a time scale of 6 months to conclude negotiations with member states. Some reckon it won’t be in force until 2017. Others say it could be as early as next year.
Cloud providers – are you ready?
1. Cloud providers will be caught directly
New obligations will extend to cloud providers as “data processors”. While the primary obligations will still fall on the customer as “data controller”, cloud providers will have to maintain certain documents and cooperate with the supervisory authority.
2. Mandatory breach notification
If you leak or lose customer data, the customer will not be able to keep silent and will have to notify the supervisory authority. Customers will be keen to ensure they don’t have to notify by ensuring the provider keeps the data secure in the first place. But if there is a problem, expect them to name and shame you. Of course, some providers must notify under existing regs.
3. Massive fines
Fines for the most serious breaches could be up to 5% of global turnover. Data breaches could become very expensive all of a sudden. Customers are likely to seek reassurances from providers and may look to get them to carry this loss if they are the cause. Expect contract wrangling on this point.
4. Data Protection officer
The customer will have to appoint someone as its data protection officer and tell its users who that is. In turn, it may ask the provider to nominate someone to answer data protection queries. This need not be a new role, but providers should be prepared to give someone the responsibility.
There’s more, such as the need to register with only one supervisory body across the whole EU rather than, potentially, all of them. There’s also the real “right to be forgotten” that will be enshrined in law, not just the halfway house version under the Google case. Again, these will primarily fall on the cloud customers who store data with you. Customers may also scrutinise more closely whether the provider is truly data protection compliant and not just using Safe Harbor as a pretty but useless badge.
I suggest you get ready for the changes now while there’s still time.